Which is how I know that Acrobat Reader 9.1 and 8.1.4 for Unix were released yesterday, right on time. As expected, these address the JBIG2 vulnerability from Security Advisory APSA09-01 and Security Bulletin APSB09-03, which is known to have been exploited by targeted malware.

Happily, Adobe has now advised that some other vulnerabilities we’ve been hearing about have also been addressed in these and the other updates we’ve mentioned previously. Several other JBIG2 issues described by Adobe as critical have now been publicly acknowledged by the company, and a new security bulletin update suggests that discrepancies in patch levels between different versions from 7.x to 9.x have now been regularized.

In an article for Computerworld, Gregg Keizer notes some disquiet with Adobe’s secretiveness over the scope of these patches. It doesn’t seem to me that Adobe acted inappropriately in communicating only the vulnerability for which there was a known workaround until a patch was available, as they had no grounds to suspect that there were exploits for those vulnerabilities in the wild.

You may remember that we’ve advised you to disable JavaScript in Acrobat unless you have a definite need for it, and that I noted that it is still enabled by default in the updated versions (at least, those I have access to).

It’s actually a little more annoying than that. I now find that every time I open a PDF on this system, Acrobat informs me that JavaScript is enabled in the document (even when I’ve just created it on a system with JS disabled), and prompts me to re-enable it in the application. While there may be no significant danger in re-enabling it right now, that may not always be so, and in any case I’d prefer it if Adobe would be a little less insistent.